EFFICIENT ROOT FINDING OF POLYNOMIALS OVER FIELDS OF CHARACTERISTIC 2
Slide 1: EFFICIENT ROOT FINDING OF POLYNOMIALS OVER FIELDS OF CHARACTERISTIC 2
Vincent Herbert (joint work with Bhaskar Biswas)
WEWoRC 2009
INRIA Paris-Rocquencourt
V. Herbert (WEWoRC 2009), SECRET Project Team
Slide 2: Agenda
1 Motivation for code-based cryptography
2 Algorithms & Complexities
3 Speed Up McEliece Decryption
4 Results & Analysis
Slide 3: Motivation for code-based cryptography
Why do we study polynomial root finding?
We face this problem in code-based cryptography. Indeed, McEliece-type cryptosystems are often based on binary Goppa codes. Root finding is the most time-consuming step in the implementation of algebraic decoding of binary Goppa codes.
R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pages , .
Slide 4: Motivation for code-based cryptography
What is the McEliece public key cryptosystem?
Let us have an insight into the original version of McEliece.
Public key: a binary linear $[n,k]$ code $C$, i.e. a $k$-dimensional linear $\mathbb{F}_2$-subspace of $\mathbb{F}_2^n$, described by a generator matrix $G$.
Private key: an efficient decoding algorithm for $C$ up to the error-correcting capacity $t$.
Encryption: map the $k$-bit plaintext $x$ to the codeword $x \cdot G$, then add $e$, a uniformly random error vector of length $n$ and weight $t$.
Decryption: correct the $t$ errors, then unmap to get the message. This process is also called decoding.
Slide 5: Motivation for code-based cryptography
What is a binary Goppa code?
Let $m > 0$, $n \le 2^m$ and $a = (a_1, \dots, a_n) \in \mathbb{F}_2^n$. The $n$-length binary Goppa code $\Gamma(L, g)$ is defined by:
Support $L = (\alpha_1, \dots, \alpha_n)$, an $n$-tuple of distinct elements of $\mathbb{F}_{2^m}$;
Goppa polynomial $g(z) \in \mathbb{F}_{2^m}[z]$, square-free, monic of degree $t > 0$, with no root in $L$.
$\Gamma(L, g)$ is a subfield subcode over $\mathbb{F}_2$ of a particular Goppa code over the field $\mathbb{F}_{2^m}$. We have $a \in \Gamma(L, g)$ if and only if:
$$R_a(z) := \sum_{i=1}^{n} \frac{a_i}{z - \alpha_i} = 0 \quad \text{over } \mathbb{F}_{2^m}[z]/(g(z)).$$
Slide 6: Algorithms & Complexities
How to decode binary Goppa codes?
Let $e, x, y$ be $n$-length binary vectors. We have to find $x$, the sent codeword, knowing $y = x + e$, where $y$ is the received word and $e$ the error word. We can correct up to $t$ errors. Algebraic decoding is carried out in three steps:
1 Syndrome computation: $R_y(z) = R_e(z) = \sum_{i=1}^{n} \frac{e_i}{z - \alpha_i}$ over $\mathbb{F}_{2^m}[z]/(g(z))$ (the equality $R_y = R_e$ holds because $R_x = 0$ for the codeword $x$).
2 Solving the key equation to obtain the error locator polynomial: $R_e(z)\,\sigma_e(z) = \sigma_e'(z)$ over $\mathbb{F}_{2^m}[z]/(g(z))$.
3 Error locator polynomial root finding: $\sigma_e(z) := \prod_{i=1}^{n} (z - \alpha_i)^{e_i}$, so $\sigma_e(\alpha_i) = 0 \iff e_i \neq 0$.
Slide 7: Algorithms & Complexities
How to find the roots efficiently?
Several approaches are possible; their efficiency depends on the size of the parameters $m$ and $t$.
Chien search computes the roots by evaluating the polynomial, in a clever incremental way, at all points of $L$. This method is recommended for hardware implementations and for coding-theory applications in which $m$ is small.
BTA is a recursive algorithm using properties of the trace function. It is the faster method for secure parameters in McEliece-type cryptosystems.
Slide 8: Algorithms & Complexities
What is the cost of the decryption?
Let us recall that, in practice, $n = 2^m$ and $mt < n$.
Theoretical complexity = number of binary operations required to decrypt in the worst case.
Syndrome computation: $O(mnt)$
Key equation solving (with Patterson's algorithm): $O(mt^2)$
Error locator polynomial root finding:
  Chien search: $O(mnt)$
  Berlekamp Trace Algorithm (abbr. BTA): $O(m^2 t^2)$
Experimental complexity = average running time of the decryption. For the recommended parameters (i.e. $m = 11$, $t = 32$), root finding with BTA (resp. Chien search) takes 72% (resp. 86%) of the total decryption time.
Slide 9: Algorithms & Complexities
How does BTA work?
Trace function $\mathrm{Tr}(\cdot) : \mathbb{F}_{2^m} \to \mathbb{F}_2$, $\mathrm{Tr}(z) := z + z^2 + z^4 + \dots + z^{2^{m-1}}$.
The function $\mathrm{Tr}(\cdot)$ is $\mathbb{F}_2$-linear and onto. We know that:
$$\forall i \in \mathbb{F}_2,\quad \mathrm{Tr}(z) - i = \prod_{\gamma \text{ s.t. } \mathrm{Tr}(\gamma) = i} (z - \gamma).$$
Moreover, we have: $z^{2^m} - z = \mathrm{Tr}(z)\,(\mathrm{Tr}(z) - 1)$.
Slide 10: Algorithms & Complexities
How does BTA work? (contd)
Let $B = (\beta_1, \dots, \beta_m)$ be a basis of $\mathbb{F}_{2^m}$ over $\mathbb{F}_2$. Every $\alpha \in \mathbb{F}_{2^m}$ is uniquely represented by the $m$-tuple $(\mathrm{Tr}(\beta_1 \alpha), \dots, \mathrm{Tr}(\beta_m \alpha))$.
BTA splits any $f \in \mathbb{F}_{2^m}[z]$ s.t. $f(z) \mid (z^{2^m} - z)$ into linear factors by computing iteratively on $\beta \in B$ and recursively on $f$:
$$g(z) := \gcd\big(f(z), \mathrm{Tr}(\beta z)\big) \quad \text{and} \quad h(z) := f(z)/g(z).$$
BTA always successfully returns the linear factors of $f$. First call: $f = \sigma_e$ and $\beta = \beta_1$.
Slide 11: Speed Up McEliece Decryption
How to reduce time complexity?
The drawback of BTA is the large number of recursive calls when the system parameters grow. We reduce it by mixing BTA with Zinoviev's algorithms, which are ad-hoc methods for finding the roots of polynomials of degree $\le 10$ over $\mathbb{F}_{2^m}$. We call this process BTZ in the following. BTZ depends on a parameter $d_{\max}$, which is the maximum degree up to which we use Zinoviev's methods.
V.A. Zinoviev, On the solution of equations of degree $\le 10$ over finite fields $GF(2^m)$, Research Report INRIA no. 2829, 1996.
Slide 12: Speed Up McEliece Decryption
Pseudocode of a simplified version of BTZ
Algorithm 1 - BTZ(f, d, i)
First call: f <- sigma_e; d <- d_max in {2, ..., 10}; i <- 1.
  if degree(f) <= d then
    return ZINOVIEV(f, d);
  else
    g <- gcd(f, Tr(beta_i z));
    h <- f / g;
    return BTZ(g, d, i + 1) union BTZ(h, d, i + 1);
  end if
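The following Python is an added example, not code from the slides or from the authors' implementation. It runs the recursion of Algorithm 1 with the Zinoviev call replaced by the trivial base case "degree 1, read off the root", which is exactly BTA (the $d_{\max} = 1$ case). It works over a toy field $\mathbb{F}_{2^4}$ with modulus $x^4 + x + 1$ and the basis $(1, x, x^2, x^3)$ in the role of $(\beta_1, \dots, \beta_m)$; the function names, the toy modulus and the sample roots are assumptions of this example, not values from the talk.

```python
# Added example (not from the slides): Berlekamp Trace Algorithm over a toy
# field F_{2^4}. Field elements are ints whose bits are polynomial coefficients
# over F_2; polynomials over F_{2^M} are lists of field elements, lowest degree first.

M = 4
POLY = 0b10011          # x^4 + x + 1, irreducible over F_2 (toy parameter; McEliece uses m = 11)
BASIS = [1, 2, 4, 8]    # the F_2-basis (1, x, x^2, x^3), playing the role of (beta_1, ..., beta_m)

def gf_mul(a, b):
    """Multiply two elements of F_{2^M}: carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):
    """a^(2^M - 2) = a^(-1) for a != 0 (square-and-multiply)."""
    assert a != 0
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def poly_strip(p):
    """Drop leading zero coefficients in place and return the list."""
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_add(p, q):
    n = max(len(p), len(q))
    return poly_strip([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0) for i in range(n)])

def poly_mul(p, q):
    prod = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            prod[i + j] ^= gf_mul(a, b)
    return poly_strip(prod)

def poly_divmod(p, q):
    """Long division of p by the nonzero polynomial q; returns (quotient, remainder)."""
    p, q = list(p), poly_strip(list(q))
    inv_lead = gf_inv(q[-1])
    quot = [0] * max(len(p) - len(q) + 1, 1)
    while len(poly_strip(p)) >= len(q):
        shift = len(p) - len(q)
        coef = gf_mul(p[-1], inv_lead)
        quot[shift] = coef
        for i, c in enumerate(q):        # cancels the leading term of p
            p[shift + i] ^= gf_mul(coef, c)
    return poly_strip(quot), poly_strip(p)

def poly_monic(p):
    p = poly_strip(list(p))
    inv = gf_inv(p[-1]) if p else 1
    return [gf_mul(c, inv) for c in p]

def poly_gcd(p, q):
    """Euclid's algorithm; the result is made monic."""
    p, q = poly_strip(list(p)), poly_strip(list(q))
    while q:
        p, q = q, poly_divmod(p, q)[1]
    return poly_monic(p)

def trace_poly_mod(beta, f):
    """Tr(beta z) = sum_{k=0}^{M-1} (beta z)^(2^k), reduced modulo f by repeated squaring."""
    s = poly_divmod([0, beta], f)[1]
    acc = list(s)
    for _ in range(M - 1):
        s = poly_divmod(poly_mul(s, s), f)[1]
        acc = poly_add(acc, s)
    return acc

def bta(f, i=0):
    """Roots in F_{2^M} of f, for f dividing z^(2^M) - z (distinct roots in the field),
    following the slide's recursion g = gcd(f, Tr(beta_i z)), h = f / g."""
    f = poly_monic(f)
    if len(f) <= 1:                 # constant polynomial: no roots
        return []
    if len(f) == 2:                 # z + r: the root is r (base case standing in for ZINOVIEV)
        return [f[0]]
    if i >= M:
        raise ValueError("basis exhausted: f does not split into distinct linear factors")
    g = poly_gcd(f, trace_poly_mod(BASIS[i], f))
    h = poly_divmod(f, g)[0]        # exact division since g divides f
    return sorted(bta(g, i + 1) + bta(h, i + 1))

def poly_from_roots(roots):
    """Constructed test input: the error locator prod (z + r) over the given roots."""
    f = [1]
    for r in roots:
        f = poly_mul(f, [r, 1])
    return f
```

Calling `bta(poly_from_roots([3, 5, 9, 12]))` returns `[3, 5, 9, 12]`. The two recursive calls always advance to the next basis element, whether or not the gcd actually split anything, because two distinct roots $r_1 \neq r_2$ are guaranteed to be separated by some $\beta_i$ with $\mathrm{Tr}(\beta_i r_1) \neq \mathrm{Tr}(\beta_i r_2)$; the `len(f) == 2` branch is where BTZ would instead hand any $f$ of degree up to $d_{\max}$ to Zinoviev's methods.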
Slide 13: Speed Up McEliece Decryption
What are Zinoviev's algorithms?
Zinoviev's methods find an affine multiple of any polynomial of degree $\le 10$ over $\mathbb{F}_{2^m}$. The methods differ according to this degree.
Affine polynomial: $A(z) = L(z) + c$, where $L$ is a linearized polynomial and $c \in \mathbb{F}_{q^m}$.
Linearized polynomial: $L(z) = \sum_{i=0}^{n} l_i z^{q^i}$, with $q$ a prime power, $l_i \in \mathbb{F}_{q^m}$ and $l_n = 1$. In our case, $q = 2$.
After that, finding the roots of an affine polynomial is easier than in the general case.
Slide 14: Speed Up McEliece Decryption
Get an affine multiple of a polynomial of degree 2 or 3
Let us have an equation $z^2 + \alpha z + \beta = 0$, $\alpha, \beta \in \mathbb{F}_{2^m}$. Notice that $z^2 + \alpha z$ is already a linearized polynomial. Nothing to do here.
Now consider the equation $z^3 + a z^2 + b z + c = 0$, $a, b, c \in \mathbb{F}_{2^m}$. We have to eliminate the non-linear terms. For this, we add one particular root by multiplying the left side by $(z + a)$. We obtain
$$z^4 + d z^2 + e z + f = 0 \quad \text{with } d = a^2 + b,\ e = ab + c,\ f = ac.$$
We get what we want, an affine multiple of a polynomial of degree 3.
Slide 15: Results & Analysis
What results do we obtain?
We specify a recurrence formula for the complexity of BTZ. We then use dynamic programming to estimate its theoretical complexity in the worst case. We thus determine the best $d_{\max}$ to use to reach optimal efficiency on the following range of parameters:
$m = 8, 11, 12, 13, 14, 15, 16, 20, 30, 40$; $t = $ ; $d_{\max} = $ .
Let $K$ be the cost function of an operation over $\mathbb{F}_{2^m}$. We take $K(+) = 1$; $K(\times) = 1$ or $K(\times) = m$.
Slide 16: Results & Analysis
Conclusions & Perspectives
For $m = 11$, $t = 32$, theory recommends $d_{\max} = 5$. The theoretical gain, in number of operations over $\mathbb{F}_{2^m}$, of BTZ with $d_{\max} = 5$ over BTA is 46%; the gain over the Chien method is 93%.
The higher $t$ is, the higher the optimal $d_{\max}$, according to the theory.
Practice confirms theory up to degree 3 at least. For instance, with $m = 11$, $t = 32$ and $d_{\max} = 2$, BTZ takes 65% of the total decryption time, against 72% for BTA and 86% for Chien.
Implementation is in progress for greater values of the parameter $d_{\max}$.
Slide 17: Danke schön WEWoRC 2009!
Any questions or comments? Any further remarks or suggestions can be addressed to: Vincent.Herbert@inria.fr
Slides will be available in a short time on:
Slide 18: Bonus Slides
Why is it easier to find roots of an affine polynomial?
Let us have an affine polynomial $A(z) = L(z) + c = \sum_{i=0}^{m-1} l_i z^{2^i} + c$. Consider $(\alpha_1, \dots, \alpha_m)$ an $\mathbb{F}_2$-basis of $\mathbb{F}_{2^m}$; the $l_i$, $c$ and $x$ are elements of $\mathbb{F}_{2^m}$. Write $x = \sum_{i=1}^{m} x_i \alpha_i$ and $c = \sum_{i=1}^{m} c_i \alpha_i$ with $x_i, c_i \in \mathbb{F}_2$, and expand $L(\alpha_i) = \sum_{j=1}^{m} l_{i,j}\,\alpha_j$ in the same basis. Guess $x$ is a root of $A$:
$$A(x) = 0 \iff L(x) = c \iff \sum_{i=1}^{m} x_i\, L(\alpha_i) = \sum_{i=1}^{m} c_i\, \alpha_i \quad \text{(using linearity of } L\text{)}$$
$$\iff \sum_{i=1}^{m} \sum_{j=1}^{m} x_i\, l_{i,j}\, \alpha_j = \sum_{i=1}^{m} c_i\, \alpha_i \quad \text{(linear system in the } x_i\text{)}.$$
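As an added example that is not part of the slides, the Python below carries the cubic case of slide 14 through to the linear system of this bonus slide: it builds the affine multiple $z^4 + dz^2 + ez + f$, takes the images $L(\alpha_j)$ of the bit basis $(1, x, x^2, x^3)$ as the columns of an $\mathbb{F}_2$ matrix, solves $L(x) = f$ by Gauss-Jordan elimination (enumerating every solution, since $L$ may have a non-trivial kernel), and finally discards the artificial root $z = a$. The toy field $\mathbb{F}_{2^4}$, the function names and the sample coefficients are assumptions of this example, not values from the talk.

```python
# Added example (not from the slides): roots of a cubic over a toy F_{2^4} via
# its affine multiple (slide 14) solved as an F_2-linear system (slide 18).
# Field elements are ints whose bits are polynomial coefficients over F_2; bit j
# is the coordinate on alpha_j = x^j.

M = 4
POLY = 0b10011   # x^4 + x + 1 (toy parameter; McEliece uses m = 11)

def gf_mul(a, b):
    """Multiply two elements of F_{2^M}: carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def affine_multiple_of_cubic(a, b, c):
    """(z + a)(z^3 + a z^2 + b z + c) = z^4 + d z^2 + e z + f; in characteristic 2
    d = a^2 + b, e = ab + c, f = ac, and every + is an XOR."""
    return gf_mul(a, a) ^ b, gf_mul(a, b) ^ c, gf_mul(a, c)

def linearized(d, e, x):
    """L(x) = x^4 + d x^2 + e x, the F_2-linear part of the affine multiple."""
    x2 = gf_mul(x, x)
    return gf_mul(x2, x2) ^ gf_mul(d, x2) ^ gf_mul(e, x)

def solve_gf2(cols, rhs):
    """All x (bit j = x_j) with sum_j x_j cols[j] = rhs over F_2, found by
    Gauss-Jordan elimination; the empty list if the system is inconsistent."""
    n = len(cols)
    rows = []                                   # row i = equation on bit i; rhs kept at bit n
    for i in range(M):
        r = sum(((cols[j] >> i) & 1) << j for j in range(n))
        rows.append(r | (((rhs >> i) & 1) << n))
    pivots, rank = [], 0
    for j in range(n):
        piv = next((k for k in range(rank, M) if (rows[k] >> j) & 1), None)
        if piv is None:
            continue                            # x_j is a free variable
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for k in range(M):
            if k != rank and (rows[k] >> j) & 1:
                rows[k] ^= rows[rank]
        pivots.append(j)
        rank += 1
    if any(rows[k] for k in range(rank, M)):    # a leftover "0 = 1" row: no solution
        return []
    free = [j for j in range(n) if j not in pivots]
    sols = []
    for mask in range(1 << len(free)):          # one solution per assignment of the free bits
        x = sum(1 << j for b, j in enumerate(free) if (mask >> b) & 1)
        for k, j in enumerate(pivots):          # pivot variables follow from the reduced rows
            val = (rows[k] >> n) & 1
            for fj in free:
                val ^= ((rows[k] >> fj) & 1) & ((x >> fj) & 1)
            x |= val << j
        sols.append(x)
    return sols

def cubic_roots(a, b, c):
    """Roots in F_{2^M} of z^3 + a z^2 + b z + c: solve L(x) = f for the affine
    multiple, then keep only the candidates the cubic itself accepts."""
    d, e, f = affine_multiple_of_cubic(a, b, c)
    cols = [linearized(d, e, 1 << j) for j in range(M)]   # L(alpha_j) for the bit basis

    def cubic(x):
        x2 = gf_mul(x, x)
        return gf_mul(x2, x) ^ gf_mul(a, x2) ^ gf_mul(b, x) ^ c

    return sorted(x for x in solve_gf2(cols, f) if cubic(x) == 0)
```

For the constructed cubic $(z+3)(z+5)(z+9)$, whose coefficients are $a = 3 \oplus 5 \oplus 9 = 15$ and $b$, $c$ obtained from `gf_mul`, `cubic_roots` returns `[3, 5, 9]`; for $z^3 + z + 1$, which has no root in $\mathbb{F}_{2^4}$, it returns `[]`. The final filter is necessary because the multiplication by $(z + a)$ adds the root $a$ to the affine multiple.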
Slide 19: Bonus Slides
How does Chien search operate?
Chien search is a recursive algorithm. We can say it is a clever exhaustive search. Let $\alpha$ be a generator (of the multiplicative group) of $\mathbb{F}_{2^m}$ and let $f(x) = a_0 + a_1 x + \dots + a_t x^t$ be a polynomial over $\mathbb{F}_{2^m}$.
$$f(\alpha^i) = a_0 + a_1 \alpha^i + \dots + a_t (\alpha^i)^t$$
$$f(\alpha^{i+1}) = a_0 + a_1 \alpha^{i+1} + \dots + a_t (\alpha^{i+1})^t = a_0 + a_1 \alpha^i \alpha + \dots + a_t (\alpha^i)^t \alpha^t$$
Set $a_{i,j} = a_j (\alpha^i)^j$. It is easy to obtain $f(\alpha^{i+1})$ from $f(\alpha^i)$ since we have $a_{i+1,j} = a_{i,j}\,\alpha^j$. Moreover, if $\sum_{j=0}^{t} a_{i,j} = 0$, then $\alpha^i$ is a root of $f$.
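The Python below is an added example, not code from the slides: it runs the Chien search of this slide over a toy $\mathbb{F}_{2^4}$, keeping the $t+1$ terms $a_{i,j}$ and updating them by $a_{i+1,j} = a_{i,j}\,\alpha^j$ instead of re-evaluating $f$, and checks the result against plain Horner evaluation at every field element. The modulus $x^4 + x + 1$ is primitive, so $\alpha = x$ generates the multiplicative group; the function names and sample polynomials are assumptions of this example.

```python
# Added example (not from the slides): Chien search over a toy F_{2^4}, with
# the incremental term update from the slide, cross-checked against Horner.

M = 4
POLY = 0b10011   # x^4 + x + 1 is primitive, so ALPHA = x generates F_{2^4}^* (toy parameter)
ALPHA = 0b10

def gf_mul(a, b):
    """Multiply two elements of F_{2^M}: carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def poly_eval(coeffs, x):
    """Horner evaluation of a_0 + a_1 x + ... + a_t x^t (coefficients lowest degree first)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def chien_search(coeffs, alpha=ALPHA):
    """Roots of f among alpha^0, ..., alpha^(2^M - 2): the terms a_{i,j} = a_j (alpha^i)^j
    are updated in place by a_{i+1,j} = a_{i,j} alpha^j, so each step costs t multiplications
    and t additions. z = 0 is not a power of alpha; it is a root exactly when a_0 = 0."""
    t = len(coeffs) - 1
    alpha_pow = [1]                              # alpha^j for j = 0..t
    for _ in range(t):
        alpha_pow.append(gf_mul(alpha_pow[-1], alpha))
    terms = list(coeffs)                         # a_{0,j} = a_j because alpha^0 = 1
    x, roots = 1, []
    for i in range((1 << M) - 1):                # i = 0 .. 2^M - 2 covers every nonzero element
        if i:
            terms = [gf_mul(terms[j], alpha_pow[j]) for j in range(t + 1)]
            x = gf_mul(x, alpha)                 # x = alpha^i, kept only to report the root
        s = 0
        for v in terms:
            s ^= v                               # sum_j a_{i,j} = f(alpha^i)
        if s == 0:
            roots.append(x)
    if coeffs[0] == 0:
        roots.append(0)
    return sorted(roots)

def brute_force_roots(coeffs):
    """Reference answer: evaluate f at all 2^M field elements."""
    return [x for x in range(1 << M) if poly_eval(coeffs, x) == 0]
```

`chien_search([gf_mul(3, 5), 6, 1])`, i.e. $(z+3)(z+5)$, returns `[3, 5]`, and `chien_search([1] + [0] * 14 + [1])`, i.e. $z^{15} + 1$, returns all fifteen nonzero elements. The cost per evaluation point is what makes the slide's $O(mnt)$ figure: $t$ field multiplications for each of the $n$ points.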
Slide 20: Bonus Slides
Second description of a binary Goppa code
Let $m > 0$ and $n \le 2^m$. The $n$-length binary Goppa code $\Gamma(L, g)$ is defined by:
Support $L = (\alpha_1, \dots, \alpha_n)$, an $n$-tuple of distinct elements of $\mathbb{F}_{2^m}$;
Goppa polynomial $g(z) \in \mathbb{F}_{2^m}[z]$, square-free, monic of degree $t > 0$, with no roots in $L$;
$\Gamma(L, g)$ is a subfield subcode over $\mathbb{F}_2$ of a particular Goppa code over the field $\mathbb{F}_{2^m}$ which has parity-check matrix $H$:
$$H := \begin{pmatrix} \frac{1}{g(\alpha_1)} & \frac{\alpha_1}{g(\alpha_1)} & \cdots & \frac{\alpha_1^{t-1}}{g(\alpha_1)} \\ \frac{1}{g(\alpha_2)} & \frac{\alpha_2}{g(\alpha_2)} & \cdots & \frac{\alpha_2^{t-1}}{g(\alpha_2)} \\ \vdots & \vdots & & \vdots \\ \frac{1}{g(\alpha_n)} & \frac{\alpha_n}{g(\alpha_n)} & \cdots & \frac{\alpha_n^{t-1}}{g(\alpha_n)} \end{pmatrix} \in \mathcal{M}_{n,t}(\mathbb{F}_{2^m}).$$
Thus, we have $a \in \Gamma(L, g)$ if and only if $a \cdot H = 0$ and $a \in \mathbb{F}_2^n$.
More informationThe Advanced Encryption Standard (AES)
The Advanced Encryption Standard (AES) Conception - Why A New Cipher? Conception - Why A New Cipher? DES had outlived its usefulness Vulnerabilities were becoming known 56-bit key was too small Too slow
More information1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies
1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?
More information8.2. Solution by Inverse Matrix Method. Introduction. Prerequisites. Learning Outcomes
Solution by Inverse Matrix Method 8.2 Introduction The power of matrix algebra is seen in the representation of a system of simultaneous linear equations as a matrix equation. Matrix algebra allows us
More informationMATH1231 Algebra, 2015 Chapter 7: Linear maps
MATH1231 Algebra, 2015 Chapter 7: Linear maps A/Prof. Daniel Chan School of Mathematics and Statistics University of New South Wales danielc@unsw.edu.au Daniel Chan (UNSW) MATH1231 Algebra 1 / 43 Chapter
More informationAPP INVENTOR. Test Review
APP INVENTOR Test Review Main Concepts App Inventor Lists Creating Random Numbers Variables Searching and Sorting Data Linear Search Binary Search Selection Sort Quick Sort Abstraction Modulus Division
More informationHow To Encrypt Data With A Power Of N On A K Disk
Towards High Security and Fault Tolerant Dispersed Storage System with Optimized Information Dispersal Algorithm I Hrishikesh Lahkar, II Manjunath C R I,II Jain University, School of Engineering and Technology,
More informationRSA and Primality Testing
and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2
More informationLinear Codes and Applications in Cryptography
Linear Codes and Applications in Cryptography MASTER S THESIS submitted in partial fulfillment of the requirements for the degree of Master of Science (MSc) in Mathematics in Computer Science by Matthias
More informationNotes on Network Security Prof. Hemant K. Soni
Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications
More informationPractical Cryptanalysis of SFLASH
Practical Cryptanalysis of SFLASH Vivien Dubois 1, Pierre-Alain Fouque 1, Adi Shamir 1,2, and Jacques Stern 1 1 École normale supérieure Département d Informatique 45, rue d Ulm 75230 Paris cedex 05, France
More informationMath Common Core Sampler Test
High School Algebra Core Curriculum Math Test Math Common Core Sampler Test Our High School Algebra sampler covers the twenty most common questions that we see targeted for this level. For complete tests
More informationSECRET sharing schemes were introduced by Blakley [5]
206 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006 Secret Sharing Schemes From Three Classes of Linear Codes Jin Yuan Cunsheng Ding, Senior Member, IEEE Abstract Secret sharing has
More informationMATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction
MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key
More information